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Introduction 


The Freedom of Information Act 2000 (FOIA) and the Environmental 
Information Regulations 2004 (EIR) give the public rights to access 
information held by public authorities. 


An overview of the main provisions of FOIA and the EIR can be 
found in The Guide to Freedom of Information and The Guide to the 
Environmental Information Regulations. 


This is part of a series of guidance, which goes into more detail than 
the guides, to help public authorities to fully understand their 
obligations and promote good practice. 


This guidance explains in more detail how to apply FOIA exemptions 
and EIR exceptions relating to personal data. It therefore refers to 
the processing of personal data in accordance with the UK General 
Data Protection Regulation (UK GDPR) and the Data Protection Act 
2018 (DPA). It is a guide to our general recommended approach, 
although decisions will always be made on a case by case basis. 


The DPA and UK GDPR set out the UK data protection regime. The 
DPA also sets out separate data protection rules for the processing 
of personal data by competent authorities! for law enforcement 
purposes (DPA Part 3); and for processing by the intelligence 
services (DPA Part 4). For more information see our Guide to Data 
Protection. 


This guidance is based on precedents established under the Data 
Protection Act 1998 (DPA98). It will be regularly reviewed and kept 
in line with new decisions of the Information Commissioner, 
tribunals and courts. Additional guidance is available on our guidance 
pages. 


1 A competent authority for the purposes of law enforcement means a person 
specified in Schedule 7 of the DPA and any other person if, and to the extent that, 
the person has statutory functions to exercise public authority or public powers 
for the law enforcement purposes. 


Personal data of both the requester and others 
(section 40 and regulations 5(3) and 13) 
20201124 

Version: 2.1 


Overview 


e If a freedom of information (FOI) or EIR request asks for 
information which is solely the personal data of the requester, 
you should refuse the request under FOIA section 40(1) or under 
EIR regulation 5(3). You should then handle the request as a 
data protection subject access request. 


e Under FOIA section 40(5A), you are not obliged to confirm or 
deny whether you hold the information if this would disclose 
personal data relating to the requester. Under EIR regulation 
5(3) there is no duty to confirm nor deny that you hold 
information which is the personal data of the requester. 


e Where the request includes information which is both the 
personal data of the requester and a third party, and is so 
closely linked that it is not possible to separate it out, you should 
refuse that information under FOIA section 40(1) or EIR 
regulation 5(3) and consider it as a subject access request, as 
outlined above. 


e You should then consider whether to disclose the mixed data in 
your subject access response, in accordance with your data 
protection obligations about third-party personal data. 


e Where the information requested includes the requester’s 
personal data and also the separate (and clearly distinct) 
personal data of a third party, you should first handle the 
requester’s personal data as a subject access request, as 
outlined above. You should then consider disclosure of the 
remaining information and any third-party data separately under 
FOIA or the EIR. 


e If the information request includes the personal data of a third 
party (and no data relating to the requester), you should 
consider the whole request under FOIA or the EIR. 


e If you wish to neither confirm nor deny whether the requested 
third-party data is held, you should consider the relevant FOIA 
and EIR ‘neither confirm nor deny’ exemptions. 
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e Otherwise, in most cases, you should consider whether 
disclosure of the third-party personal data would contravene the 
data protection principles. 


What the legislation says 


Section 40(1) and 40(5A) of FOIA states: 


40.—(1) Any information to which a request for information 
relates is exempt information if it constitutes personal data 
of which the applicant is the data subject. 


40.—(5A) the duty to confirm or deny does not arise in 
relation to information which is (or if it were held by the 
public authority would be) exempt information by virtue of 
subsection (1). 


Regulation 5(3) of the EIR states: 


5.—(3) To the extent that the information requested 
includes personal data of which the applicant is the data 
subject, paragraph (1) shall not apply to those personal 
data. 


Paragraph (1) of the EIR, as referred to in regulation 5(3), requires 
that environmental information shall be made available by the 
public authority holding it on request. 


FOIA section 40(2) with 40(3A) and EIR regulation 13(1) with 
13(2A) state that personal data which is not the personal data of 
the requester (ie third-party personal data) should not be disclosed 
if this would contravene the data protection principles. This is the 
exemption you will consider in most cases. 
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The requester’s personal data 


If the requested information is the requester’s personal data, it is 
exempt under section 40(1) of FOIA and, under regulation 5(3) of 
the EIR, there is no obligation to make it available. 


You must handle a request for the requester’s personal data as a 
subject access request under the UK GDPR or the DPA, as 
applicable. Further information about how to deal with a subject 
access request is available in our UK GDPR guidance Right of access 
and in our law enforcement guidance The right of access. 


You should only use these exemptions if the identity of the 
requester is clear and you can confirm that the information is their 
personal data. If there is any doubt about the identity of the 
requester, you should deal with it as a request for someone else’s 
data. 


You must comply with the subject access request without undue 
delay and in any event within one month of receipt of the request. 
Strictly speaking, however, the time limits of FOIA and the EIR still 
apply, and you are still technically required to issue a refusal notice 
even though you do not have to confirm or deny whether you hold 
the information. 


Therefore, for practical purposes when a subject access request has 
been made as an FOI or EIR request, you should respond within 20 
working days or else explain within this time limit that you are 
dealing with the request under the UK GDPR or the DPA. 


Confirmation or denial 


In terms of FOIA, if the requested information is exempt under 
section 40(1), it is also important to note that under section 40(5A) 
there is no requirement for you to say whether or not you hold the 
requested information if this would itself disclose personal data 
relating to the requester. 


This means that when an individual requests information that is 
their own personal data under FOIA, you can respond by saying that 
you neither confirm nor deny that you hold it. This applies whether 
or not you do actually hold the personal data. The issue to consider 
is not whether you hold it but rather, if you did hold it, would 
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confirming or denying that it was held in itself disclose personal 
data relating to the requester? This applies even if the information 
is also the personal data of other individuals (mixed data). 


Under the EIR, there is no express provision regarding the duty to 
confirm or deny in relation to the personal data of the applicant. 
Under regulation 5(3) there is no obligation to provide information 
“to the extent that the information includes personal data of which 
the applicant is the data subject”. Rather than an exemption from 
the duty to provide information (as in section 40(1) of FOIA), there 
is simply no duty to provide such information, and therefore there is 
no duty to confirm or deny whether you hold it. 


This also means that there are no express refusal provisions within 
the EIR when the requested information is the personal data of the 
applicant. However, as a matter of good practice, you should 
explain to the applicant that you are not required to provide 
confirmation or denial by virtue of regulation 5(3). 


Although you will comply with FOIA or the EIR if you neither confirm 
nor deny that you hold the requester’s personal data, you should 
also go on to deal with the request as a subject access request. 


There are also separate FOI and EIR exemptions which allow you to 
neither confirm nor deny whether you hold third-party personal 
data. For further details, please see our guidance Neither confirm 
nor deny in relation to personal data. 


Requests involving multiple data subjects 


In cases where the requested information comprises the personal 
data of more than one individual, you should regard all the 
individuals as data subjects for the purposes of section 40 and 
regulations 5(3) and 13. 


Where one of these individuals is the requester, you should consider 
the extent to which the information is their personal data and so 
falls within section 40(1) or regulation 5(3). You should also 
consider whether the personal data of all the data subjects is 
inextricably linked or whether it can be clearly differentiated. 
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Requests where information comprises mixed personal 
data 


If the applicant’s personal data is inextricably linked to that of other 
data subjects, this mixed data is either exempt on the basis of FOIA 
section 40(1), or is not within the scope of the EIR by virtue of 
regulation 5(3). You should consider this part of the request in its 
entirety as a data protection subject access request. 


There is no requirement to assess the relative extent or significance 
of the different sets of personal data in order to establish the 
‘dominant’ data subject. This is because there is no basis for 
considering whether one individual’s data is more extensive or 
significant than the others. 


Example 

If an individual makes a FOI request to the police for 
information about a complaint they have made against a 
number of police officers, the details about the complaint 
itself will be the personal data of both the requester and the 
police officers concerned. 


The requester’s personal data will be exempt under FOIA 
section 40(1) and the complaints data about the officers will 
therefore be considered for disclosure under data protection 
obligations with respect to the subject access request. The 
requester cannot argue that the file is not their personal 
data because the police officers are the ‘principal’ data 
subjects?. 


Note that in this example, a request could be made by any 
one of the data subjects. In these circumstances, each 
request would be considered as a subject access request and 
would therefore be exempt under FOIA section 40(1) or EIR 
regulation 5(3). 


? Nicholas George Fenney v the Information Commissioner (EA/2008/0001; 26 
June 2008) 
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It is also important to note that if the individual requests 
information about a complaint they have made regarding the 
treatment of someone else by the police officers, the details 
of the complaint will be the requester’s personal data but 
much of the requested information may be the personal data 
of that other person. If the other person’s data is separate 
to the requester’s, that part of the request will be handled 
under FOIA. 


Considering the disclosure of third-party personal data 
under a data protection subject access request 


If the requested information includes the mixed personal data of the 
requester and a third party which cannot be separated, you should 
automatically deal with this part of the request as a data protection 
subject access request. 


You must consider under the DPA whether you can disclose the 
third-party information to the requester. The test you apply will 
depend upon the nature of the personal data requested and the 
reasons why you are holding it and processing it: 


Type of Exemptions for third- | Test for disclosure 

personal data | party personal data 

processed under the subject (See exemption 

access right for full details) 

General Schedule 2 Part 3 (a) has the third 
processing paragraph 16(1) of the | party consented to 
under the UK DPA. the disclosure? 
GDPR 


(b) is it reasonable in 
the circumstances to 
disclose the third- 
party data without 
their consent? 
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Processing for 
law enforcement 
purposes (under 
DPA Part 3) 


Part 3 Chapter 3 
Section 45(4)(e) of the 
DPA. 


Is it a necessary and 
proportionate 
measure to refuse 
disclosure in order to 
protect the rights and 
freedoms of others? 


Intelligence Part 4 Chapter 3 (a) has the third 
services section 94(6) of the party consented to 
processing DPA. the disclosure? 
(under DPA Part 

4) (b) is it reasonable in 


the circumstances to 
disclose the third- 
party data without 


their consent? 


For further information, please see our UK GDPR guidance Right of 
access and our law enforcement guidance The right of access. 
There is also further detail in the guidance What is personal data? 


FOIA and EIR requests where information relates only to 
third parties 


You need to take a different approach if a document contains the 
personal data of the applicant, but also some separate information 
which relates only to third parties. 


You should handle the part of the request that relates to the 
applicant’s personal data separately as a subject access request. 
You should consider whether to refuse to confirm or deny you hold 
the information, as explained above. 


You should deal with the remaining information that is distinct third- 
party data under FOIA section 40(2) or EIR regulation 13(1), or 
under the relevant neither confirm nor deny provisions, as 
appropriate. 
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This also applies if the information request relates only to the 
personal data of a third party (and not to the requester). In these 
circumstances, you should consider the whole request under FOIA 
or the EIR. 


With respect to the third-party personal data, you should first 
consider the neither confirm nor deny provisions under FOIA 
sections 40(5B) or EIR regulations 13(5A) and (5B). Further 
information is provided in our guidance Neither confirm nor deny 
in relation to personal data. 


If the information is held and you do not wish to apply the neither 
confirm nor deny exemption, you must then consider whether to 
disclose the third-party personal data under FOIA or the EIR, or 
whether to apply the exemptions at section 40(2) or regulation 
13(5). 


In most cases, you should consider whether disclosure of the third- 
party personal data would contravene the data protection principles. 
For further information, please see our guidance: Personal 
information. 


Complaint files 


The personal data of multiple data subjects is often an issue in 
requests for information contained in complaints files, particularly in 
circumstances where a complaint has been made by one person 
against other individual(s). 


A person making a request for a complaint file will often be the 
individual who made the complaint and, in addition to containing 
their personal data, the file will usually contain personal data of 
other individuals. 


We have produced guidance on Access to information held in 
complaint files which, in addition to considering the extent to which 
such information comprises personal data, provides examples of 
requests that relate to the personal data of more than one 
individual. 
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Other considerations 


You might also want to consider our guidance on Personal 
information which discusses the exemption for personal 
information under FOIA and the EIR. 


Additional guidance is available on our guidance pages if you need 
further information on the public interest test, other FOIA 
exemptions, or EIR exceptions. 


More information 


We have developed this guidance drawing on ICO experience. 
Because of this it may provide more detail on issues that are often 
referred to the Information Commissioner than on those we rarely 
see. We will regularly review the guidance and keep it in line with 
new decisions of the Information Commissioner, tribunals and 
courts. 


It is a guide to our general recommended approach, although we 
will always assess individual cases on the basis of their particular 
circumstances. 


If you need any more information about this or any other aspect of 
freedom of information, please contact us, see our website 
www.ico.org.uk. 
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